FIX: EventSystem 4609 errors after installing XP SP2

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi,

I've been seeing a particular problem on certain Windows XP computers when
they are updated to Service Pack 2, and judging from posts in these
newsgroups and also on other Internet message boards, it's quite a common
problem. The symptoms are that after SP2 has been installed, and the machine
has been rebooted a few times, the following error message occurs in the
Application Event Log:

Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: 10/06/2005
Time: 10:40:23
User: N/A
Computer: HISAD
Description:
The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070005 from line 44 of
d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact
Microsoft Product Support Services to report this error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Some errors may be slightly different:

Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: 10/06/2005
Time: 09:30:35
User: N/A
Computer: HISAD
Description:
The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80080005 from line 44 of
d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact
Microsoft Product Support Services to report this error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

and at the same time errors similar to the following (sometimes with a
different GUID number) may occur in the System event log:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 10/06/2005
Time: 09:53:34
User: NT AUTHORITY\SYSTEM
Computer: HISAD
Description:
The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM
within the required timeout.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I ummed and ahhed over this problem for a while, and eventually found the
following two articles relating to Windows 2000 Service Pack 4:

Overview of the "Impersonate a Client After Authentication" and the "Create
Global Objects" Security Settings (821546.KB.EN-US.2.2)
http://support.microsoft.com/?kbid=821546

Local Security Policy Values May Revert to the Values That Are Stored in
SecEdit.sdb After You Install Windows 2000 Service Pack 4
http://support.microsoft.com/?kbid=827664

It turns out that in Windows 2000 Service Pack 4 two new user rights were
added, "Impersonate a client after authentication" (SeImpersonatePrivilege)
and "Create Global Objects" (SeCreateGlobalPrivilege).

Even though the articles don't say so, it seems that they were also added in
Windows XP Service Pack 2.

However, it seems that *sometimes* something goes wrong in the XP SP2
installer when it sets up these two new user rights. I think this is why some
computers get the above error messages. It doesn't happen all the time, and I
can't see any rhyme or reason to which computers get messed up and which ones
don't. I reckon it's a race condition or some other similar bug in the
installer.

The reason that the problem doesn't always manifest itself straight away is
probably because by default Windows only 'refreshes' its security settings
every 16 hours, and if that refresh is a while away you might not see the
problem for a while. Some networks may also have turned up this refresh time,
so the problem is even worse.

Some sites may also have these settings set (possibly incorrectly) in their
Default Domain Policy group policy, which could also mess things up. However,
at my site we don't have these settings set on the domain anywhere, only in
the Local Security Settings, and yet we still have the problem.

Anyway, if the security settings upgrade goes wrong, you end up with the
error. Fortunately, it seems to be quite easy to fix:

On the affected workstation:
1) Go to Start/Settings/Control Panel/Administrative Tools
2) Run 'Local Security Policy'
3) Go to Security Settings/Local Policies/User Rights Assignments
4) Double click on 'Create global objects'.
The correct default settings are 'Administrators', 'INTERACTIVE' and
'SERVICE'.
5) Double click on 'Impersonate a client after authentication'.
The correct default settings are 'Administrators', 'ASPNET' (if you have
the .NET framework installed) and 'SERVICE'

Even if the settings are set correctly, you may need to 'refresh' them to
fix the problem.
To do this, on each policy, remove one of the entries ('SERVICE' is probably
the best to remove), then press OK to save the changes, and then go back in
and add it back in again (click 'Add User or Group...', type 'SERVICE' into
the white box, and press OK).

Then close the Local Security Settings box and reboot. If you are running in
a domain with Group Policy you might want to force a group policy refresh
before you reboot by running 'gpupdate /force'.

I hope this helps some people!

Regards,

Chris
 
Hi Chris,

I have just installed XP Home Edition on a new PC, and am experiencing
random crashes. The event log shows an identical message to the one you
were talking about:

Christopher said:
Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: 10/06/2005
Time: 10:40:23
User: N/A
Computer: HISAD
Description:
The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070005 from line 44 of
d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please
contact
Microsoft Product Support Services to report this error.
Click to expand...

The interesting thing is that I have NOT installed SP2.

Unfortunately, when I try your fix:
On the affected workstation:
1) Go to Start/Settings/Control Panel/Administrative Tools
2) Run 'Local Security Policy'
Click to expand...

I find no "Local Security Policy" under Control Panel/Administrative
Tools!

Actually, I suspect this d**n .Net Framework thing. I wouldn't have
installed it, but it comes with my scanner, an HP ScanJet 4070. After I
install the scanner, I get a Log on screen when I start Windows, asking
me to choose a user account - but only my own account is showing. When
I sought a solution so that I didn't have to go through this step every
time I boot, I was told to de-activate the user ASPNET. This I have
done, but is it possible to get rid of .NET Framework altogether? I
really don't need it, and honestly can't imagine why I would, but HP
insist on installing it so that their automatic update will work.

What can I do now to stop these crashes? I'm getting really frustrated
here. Hope you can point me in the right direction. Thank you in
advance.

Cheers,
Geoff
 
Hi
Just for info, as I am still trying different setup.
I reckon that this problem is caused by the new Msn Messenger v.7
I have tried your reset of the two services with no result
I have disabled different programs like skype, firewall, spyware protection
etc ... without success
But since I have disabled MSN from auto start with windows and taking the
precaution to shut it down if I leave the PC for some time there is no more
warning and no lockup for the last two days.
The problem might also be related in some ways to standby mode, hibernation
or other power save mode???

I hope somebody will find the solution
747John
 
Christopher said:
Hi,

Did you try the fix I mentioned in my second post? See the following
site:
http://techrepublic.com.com/5138-10877_11-5657162.html
Click to expand...
Well actually I hadn't at the time of my last posting. In the meantime
I got so frustrated that I reformated the disk and did a complete new
installation of XP. Sort of hoped that might solve the problem, but no,
the error message was still in the Event Log, every time I booted
Windows, and it didn't take long before it crashed, just as before. So
I tried this other fix you pointed out, but that didn't exactly go as
planned, because when I go to the Remote Procedure Call page, the
option to set the log on to Local System account is grey and cannot be
changed. On the RPC Locator window, it -is- possible to make this
change, and I did so, but it didn't solve the problem.

Anyway, in the mean time I have noticed that the error message I get is
not -exactly- the same as in your original posting. The difference is
that mine says "HRESULT was C0000005 from line 44.....", not 80070005.


So maybe I have been barking up the wrong tree? When I googled for this
particular wording, I got a couple of hits, one of which is fairly
unhelpful, but the other is
http://www.pcreview.co.uk/forums/showthread.php?p=5494742. This appears
to be indicating that the problem may be a -hardware- fault, and nothing
to do with Windows. This is extremely upsetting, since I had come to the
conclusion that if this was a Windows problem, I could at least take it
to the local store where I bought the Windows licence. However, if it
may be a hardware problem I don't know -what- to do. The computer was
bought by mail order, so I guess I have to get on the supplier and
arrange to have it shipped back. I bought a 2 year extended warranty,
so I guess that is OK, but it's a lot of hassle, especially if it turns
out that the problem -is- the Windows installation....

Cheers,
Geoff
 
Oh, by the way, in the course of all my googling, I found the
following:

http://support.microsoft.com/default.aspx?kbid=821546

- which does seem to indicate that Microsoft not only know about the
problem to which you were originally referring, but also that they have
provided a workaround, which is identical to the one you described.
Unfortunately, it doesn't help people like me, who don't have "Local
Security Policy" under "Administrative Tools".

Geoff
 
Yes, if it's a different error code it's almost certainly a different
problem. It sounds like a hardware problem to me. Hope you manage to get it
sorted.
 
Yep, I found that too, although it's not actually listing a 'problem' but a
new feature that was added in 2000 SP4 and XP SP2. I'm not sure but I think
this feature is partly causing the problem. My suggestion doesn't actually
change the settings the way that the article suggests, it just 'refreshes'
them to make sure they were set properly, which might fix the problem
sometimes.

Thanks for posting it anyway.

Regards,
 
Hi there, I have the excact same problem with my win xp pro sp2.
I've been scaveging everything I can find out about it on the net.
One of the last things I did in an attempt to fix this was an upgrade
of my bios, somewhere on the net it was said that it had to do with
windows xp on fairly modern motherboards with old bios's directly
trying to acces some memory, which it is/was not allowed to do. A bios
upgrade was recommended.
but allas, it didn't work for me, I also got the idea the problem was
gone for a some time after my bios's alteration, I too got the idea
that I think msn 7 has something to do with it... cos after my feeling
of relief (thought the prob was gone) I once again started using msn,
and to my suprise when I checked a day later ..... again those errors.
My pc now no longer hangs suddenly, but the error is still there.

Going over all my settings and configuration which I can find I came to
the conclusions that a few hardware devices are using the same IRQ
(vid card, network card, serial buss's), my question to you is; do you
have the same problem ? fairly manny devices using the same IRQ port ?
Mine all seem to like IRQ 11 a lot here ...

mobo: aopen ak33, amd athlon 902mhz, 640 mb

Plus, I have another error in system log, it keeps saying failing to
load viaagp, but all my video card stuff is running fine ????

geforce 4 mx440se
 
Hi,

Everything you've mentioned, I'm afraid, is probably not what is causing the
problem.

The BIOS probably fixes the problem mentioned here:
http://support.microsoft.com/?kbid=283649

I doubt that MSN is causing the problem (the computers I am trying it on
don't have MSN installed - only Windows Messenger 5.0, and besides, MSN
shouldn't affect the RPC service at all).

And the IRQ 'problem' is something that XP does on pretty much every system
that uses ACPI:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314068

Sorry about that. I'm pretty sure this is a Microsoft bug that they need to
fix, caused when they separated the RPC service into two components as a
security enhancement in XP SP2. The question is whether they can fix it...

Chris
 
Hmmz, ok, I was aware of the IRQ sharing, but it mostly affected 2 or 3
devices, mine has a total of 5 sharing IRQ 11, and acpi uses IRQ 9.
It's the first time I had this on a win xp installation.

Anaywayz, I'll keep an eye on this discussion, hoping that within
certain amount of time microsoft comes with a fix, and hopefully it
will be discussed here then aswell :)

good luck with it, Lennaert
 
Microsoft Knowledge Base article 909444 has been release recently which may
also help with this problem when the HRESULT is 80070005.

If you have changed the default security permissions on your %systemdrive%
root (usually C:) or on %windir%\registration, you may experience this error.
Under XP SP2 the permissions on %systemdrive% were modified to add
'Everyone/Read and Execute/This folder only' and if organisations change the
%systemdrive% permissions for other reasons (through Group Policy or another
method) they may not be aware of this change.

To reset the permissions on %systemdrive% on a computer, run this command:

%WINDIR%\System32\secedit.exe /configure /db
%windir%\security\Database\rootsec.sdb /cfg
%windir%\security\templates\rootsec.inf

Also check that the permissions on %windir\registration are set as per the
knowledge base article above.
 
Back
Top